fix(aws service): use http client when building assume role for Acces…

…sKey (#20285) * Use http client when building assume role for AccessKey. Signed-off-by: Stephen Wakely <[email protected]> * Added changelog. Signed-off-by: Stephen Wakely <[email protected]> * Add custom http connector for file auth. Signed-off-by: Stephen Wakely <[email protected]> * Formatting Signed-off-by: Stephen Wakely <[email protected]> --------- Signed-off-by: Stephen Wakely <[email protected]>
vectordotdev · Apr 14, 2024 · 1b0bdcf · 1b0bdcf
1 parent fae2ebf
commit 1b0bdcf
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 20 deletions.
diff --git a/changelog.d/20282_aws_access_key_id_and_assume_role_auth.fix.md b/changelog.d/20282_aws_access_key_id_and_assume_role_auth.fix.md
@@ -0,0 +1,5 @@
+Vector would panic when attempting to use a combination af `access_key_id` and
+`assume_role` authentication with the AWS components. This error has now been
+fixed.
+
+authors: StephenWakely
diff --git a/src/aws/auth.rs b/src/aws/auth.rs
@@ -206,6 +206,33 @@ impl AwsAuthentication {
         }
     }
 
+    /// Create the AssumeRoleProviderBuilder, ensuring we create the HTTP client with
+    /// the correct proxy and TLS options.
+    fn assume_role_provider_builder(
+        proxy: &ProxyConfig,
+        tls_options: &Option<TlsConfig>,
+        region: &Region,
+        assume_role: &str,
+        external_id: Option<&str>,
+    ) -> crate::Result<AssumeRoleProviderBuilder> {
+        let connector = super::connector(proxy, tls_options)?;
+        let config = SdkConfig::builder()
+            .http_client(connector)
+            .region(region.clone())
+            .time_source(SystemTimeSource::new())
+            .build();
+
+        let mut builder = AssumeRoleProviderBuilder::new(assume_role)
+            .region(region.clone())
+            .configure(&config);
+
+        if let Some(external_id) = external_id {
+            builder = builder.external_id(external_id)
+        }
+
+        Ok(builder)
+    }
+
     /// Returns the provider for the credentials based on the authentication mechanism chosen.
     pub async fn credentials_provider(
         &self,
@@ -228,12 +255,13 @@ impl AwsAuthentication {
                 ));
                 if let Some(assume_role) = assume_role {
                     let auth_region = region.clone().map(Region::new).unwrap_or(service_region);
-                    let mut builder =
-                        AssumeRoleProviderBuilder::new(assume_role).region(auth_region);
-
-                    if let Some(external_id) = external_id {
-                        builder = builder.external_id(external_id)
-                    }
+                    let builder = Self::assume_role_provider_builder(
+                        proxy,
+                        tls_options,
+                        &auth_region,
+                        assume_role,
+                        external_id.as_deref(),
+                    )?;
 
                     let provider = builder.build_from_provider(provider).await;
 
@@ -245,14 +273,20 @@ impl AwsAuthentication {
                 credentials_file,
                 profile,
             } => {
+                let connector = super::connector(proxy, tls_options)?;
+
                 // The SDK uses the default profile out of the box, but doesn't provide an optional
                 // type in the builder. We can just hardcode it so that everything works.
                 let profile_files = ProfileFiles::builder()
                     .with_file(ProfileFileKind::Credentials, credentials_file)
                     .build();
+
+                let provider_config = ProviderConfig::empty().with_http_client(connector);
+
                 let profile_provider = ProfileFileCredentialsProvider::builder()
                     .profile_files(profile_files)
                     .profile_name(profile)
+                    .configure(&provider_config)
                     .build();
                 Ok(SharedCredentialsProvider::new(profile_provider))
             }
@@ -264,20 +298,13 @@ impl AwsAuthentication {
                 ..
             } => {
                 let auth_region = region.clone().map(Region::new).unwrap_or(service_region);
-                let connector = super::connector(proxy, tls_options)?;
-                let config = SdkConfig::builder()
-                    .http_client(connector)
-                    .region(auth_region.clone())
-                    .time_source(SystemTimeSource::new())
-                    .build();
-
-                let mut builder = AssumeRoleProviderBuilder::new(assume_role)
-                    .region(auth_region.clone())
-                    .configure(&config);
-
-                if let Some(external_id) = external_id {
-                    builder = builder.external_id(external_id)
-                }
+                let builder = Self::assume_role_provider_builder(
+                    proxy,
+                    tls_options,
+                    &auth_region,
+                    assume_role,
+                    external_id.as_deref(),
+                )?;
 
                 let provider = builder
                     .build_from_provider(